Cybercriminals create boobytrapped PDF files, exploiting vulnerabilities in PDF reading software such as Adobe Reader, and either spam them out to unsuspecting victims or plant them on websites where they lie in wait for visitors.

Just the simple act of opening the PDF file can exploit a vulnerability to automatically download malicious code from the internet, and display a decoy PDF file to trick you into believing that nothing wrong has happened.
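The "just opening the file" behaviour described above is driven by automatic-action entries inside the PDF. The triage scanner below is an added example, not code from the article or from Sophos: it flags PDFs that combine an auto-run trigger (/OpenAction, /AA) with an active payload name (/JavaScript, /JS, /Launch, /URI), and decodes the #xx hex escapes that obfuscated samples use to hide those names from naive keyword scans. The two sample PDFs are constructed inline for illustration.

```python
import re

# Name tokens worth a closer look. /OpenAction and /AA fire when the document is
# opened; /JavaScript, /JS, /Launch and /URI carry a payload or fetch one from the
# internet; /EmbeddedFile can hide a decoy or a dropper inside the PDF; /ObjStm packs
# objects into compressed streams that a plain text scan cannot see into.
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/URI", "/EmbeddedFile", "/ObjStm")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF name tokens (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each risky name and return a simple verdict under key 'suspicious'."""
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, text))
    auto_run = counts["/OpenAction"] + counts["/AA"]
    active = (counts["/JavaScript"] + counts["/JS"]
              + counts["/Launch"] + counts["/URI"])
    # Auto-run plus an active payload is the classic "open it and it runs" shape.
    counts["suspicious"] = auto_run > 0 and active > 0
    return counts


# Constructed sample (hypothetical, not a real malware file): an /OpenAction pointing
# at a JavaScript action whose /JavaScript name is partly hex-escaped.
MALICIOUS_SAMPLE = (b"%PDF-1.4\n"
                    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
                    b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed benign sample: a catalog with no actions at all.
BENIGN_SAMPLE = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_pdf(sample))
```

A hit is a reason to inspect the file in a sandbox or with a full PDF parser, not proof of malice: legitimate forms use /AA and /JavaScript too, and a high /ObjStm count means the real content is compressed and needs decoding before any keyword scan is meaningful.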

Check out the following video by our own Chet Wisniewski, showing how a PDF can help hackers pwn your PC:

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter: @gcluley (https://twitter.com/gcluley).

Thanks for the very helpful information. I have learned more about PC security from SOPHOS than everyone else combined. Are you guys ever going to release a complete security software package like Norton 360 for the home user? Thanks for all the great tips.

A few years ago, I stopped using Adobe Reader due to the bloat, resource usage & the endless security flaws. I found Foxit Reader to be more streamlined & it doesn't run when not in use if set up properly. I don't allow scripting etc & have it set up not to open PDFs while browsing. I know there are still risks, but as an older person who just uses the internet via one home PC & not shared, I think it's about as good as I can get it, as far as safety is concerned. I don't surf the kind of sites known for malware, although I know any site can be infected.

I have a routine each day before I start browsing, to update my security programs, then check FileHippo for new updates to programs I have installed. I also use Secunia's PSI program & have for a long while & the scores come up as 100%.
I think a good practice is to only have programs installed that are actually used & not just sitting there taking up space & likely not updated since they can easily be forgotten about. It helps a little to cut down on risks & may free up some resources too.

To be honest, I'm not sure why the average person that uses a pc for simple tasks needs a program as bloated as Adobe Reader.

Adobe Reader, Flash & Java hopefully in time will be replaced with safer alternatives, until then, I try to be careful about the settings on each.

Have I understood this correctly? Chet seemed to say that, because the malware was signed before the certificate's expiration date, it would continue to be counted as valid even when the certificate is subsequently revoked.

If that is how things work, it's not good. We can shut the stable door after the (Trojan) horse has bolted, but can't send the beast to the glue factory.

Thanks for the demo on the Adobe Reader attack, excellent demo; just goes to show antivirus, firewalls and all protection applications need to be constantly kept up to date. I think it's time to make all emails traceable back to source or they just don't get delivered; shame we cannot get servers to scan attachments for valid certificates.

The more we learn, the more difficult it makes it for professional and amateur virus writers.

I think governments should consider forcing hardware manufacturers to install GPS systems into motherboards and processors so we can trace the location of a sender by the difference between ethernet and GPS receiver times; we have advanced mobile detection now, we need traceability on computers.

I think the author and demonstrator were saying that if you do not have the latest updates installed, then your computer's security certificates will be out of date, hence the virus runs and there is a chance the old certificate will still be thought valid. Updating all user applications on your computer with the latest patches ensures all security certificates are up to date, so your security systems know if an old, invalid or compromised certificate is used; it should be rejected and should be automatically reported to your security provider.

I'd like some clarification on the process of updating certificates. I know that there are new CRLs distributed as part of Windows updates – are these the only ones which are needed? Chet referred to downloading a list from Verisign – was that just because it was easier to check the serial number or is that something we need to do?

I use Evince with my Debian install, and I don't even worry about this nonsense. Of course, I don't worry about it anyway since I don't own an open door to attacks (Windows) or don't allow it online if I do.

Usually I don’t watch these because I can’t hear the sound. However, I was very happy to see the “CC” button and turned on closed captioning. But then I was totally disappointed once again because almost 10%-20% of the words were totally meaningless. Like this phrase at 1:24 in the video: “was a pediatric bark off clinic from david live better that’s going to be”. I tried to watch (read) the remainder of the video, but it only got worse. Really? That’s the BEST you can do? I was hoping to learn something today, which I did, mostly from the comments section.

But thanks for trying, maybe next time you’ll pay more attention to your work product. How about just a simple transcript for those of us who know how to read.

(As an aside – transcripts sound "simple", as you say, but they take ages to do properly. None of us here at Naked Security is a stenographer, so we type much more slowly and inaccurately than we speak. I know that's not an explanation – more of an excuse – but there you go 🙂)

Please give us feedback on our non-machine transcripts, so we can improve the clarity, layout and timing. Transcripts are tricky when you have things which are written very differently from how they're spoken, such as "Notepad.exe" 🙂